<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
        <script src="/resources/testharness.js"></script>
        <script src="/resources/testharnessreport.js"></script>
        <script>
            var t = async_test("blob: does not match 'self' (see step 2 of http://www.w3.org/TR/CSP2/#match-source-expression)");

            window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
                fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
                    fileEntry.createWriter(function(fileWriter) {
                        fileWriter.onwriteend = function(e) {
                            var script = document.createElement('script');

                            script.addEventListener('load', t.step_func(function () {
                                assert_unreached();
                            }));

                            script.addEventListener('error', t.step_func(function () {
                                t.done();
                            }));

                            script.src = fileEntry.toURL('application/javascript');
                            document.body.appendChild(script);
                        };

                        // Create a new Blob and write it to pass.js.
                        var b = new Blob(['assert_unreached();'], {type: 'application/javascript'});
                        fileWriter.write(b);
                    });
                });
            });
        </script>
    </head>
    <body>
    </body>
</html>
